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METHOD AND SYSTEM FOR CONDUCTING TRANSACTIONS 
USING A PAYMENT CARD WITH TWO TECHNOLOGIES 

SPECIFICATION 

PRIORITY APPLICATION 

5 

This application is based on United States provisional application 
60/337,913 filed on December 6, 2001, entitled "Method and System for Conducting 
Transactions Using a Payment Card With Two Technologies," which is hereby 
incorporated by reference. 

10 BACKGROUND OF THE INVENTION 

This invention relates to a method and system for conducting financial 
transactions using payment cards having account information stored therein and 
readable by two different technologies. 

In today's marketplace, payment cards - such as credit, debit, and 

15 prepaid cards - are ubiquitous methods of payment. As used in this application, the 
term "payment card" includes not only payment cards in ISO 7810 ED-1 form factor, 
but also any other form factors that may hold payment account information, such as 
mobile phones, personal digital assistants (PDAs), and key fobs. 

Most payment cards in use today use a magnetic stripe on the card to 

20 store payment account information for authorizing a transaction. Typically, to 

authorize a payment, the payment card is swiped through a card reader that reads the 
account information from the magnetic stripe on the card. 

A drawback associated with the use of a magnetic stripe payment card 
is that it may be relatively time consuming and/or difficult to handle for certain 

25 applications. For example, when a consumer desires to pay for gasoline at the pump, 
the consumer typically wishes to conduct a fast transaction. The fact that a consumer 
must align the magnetic stripe on the payment card in the correct orientation for a 
card reader and swipe the payment card in a certain direction with a certain velocity 
means that a consumer must often fumble with the card to align it properly and may 

30 need to swipe the card more than once before the card reader is able to properly read 
it. In this situation, therefore, a conventional payment card may not be as fast and/or 
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convenient a payment mechanism as a consumer might desire. The same also applies 
to purchases of fast food at fast food restaurants and convenience items at 
convenience stores. 

To overcome the lack of speed and/or handling convenience of 
5 payment cards in the situations mentioned above, some companies have introduced 
other methods of payment. For example, the Exxon Mobil Oil Company has 
introduced the SPEEDPASS device. The SPEEDPASS device uses a radio frequency 
(RF) transmitter that transmits an identification code to an RF receiver installed either 
at the gas pump or at a payment register. To use the SPEEDPASS device, a user 

1 0 waves the device in close proximity to the RF receiver at the pump or register and 
waits for a light to indicate that the RF receiver has received and processed the 
identification code. 

While convenient, the drawback with RF payment devices is the 
possibility of unauthorized reading of the identification information from these 

15 devices. That is, a person may utilize a concealed or camouflaged RF reader to steal 
the identification information from a user's RF payment device and use the stolen 
information to later conduct fraudulent transactions. To avoid unauthorized reading 
of the identification information, the information may be transmitted in encrypted 
form. Secure encryption, however, can be complicated and/or expensive, especially if 

20 a global deployment and global acceptance of payment cards is desired. 

In addition, another drawback to the SPEEDPASS device is that it is 
only usable in a closed loop acceptance system (i.e., it is only usable at Mobil- 
supported terminals). It does not have the global acceptance of a payment card usable 
within a global payment network, such as the BANKNET network operated by 

25 MasterCard International Incorporated. 

Therefore, there exists a need for a payment device and mechanism 
that is quick, easy, fast and secure and globally interoperable. 

SUMMARY OF THE INVENTION 

According to the presently claimed invention, a payment device 
30 includes payment account information that is distributed between two different 
machine-readable technologies. Preferably, the payment device according to the 
presently claimed invention includes one or more digits of a payment account number 
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stored in the payment device in a first machine-readable technology and the remaining 
digits of the payment account number, if any, and other payment account information 
stored in the payment device in a second machine-readable technology different from 
the first machine-readable technology. The payment account information may be split 
5 between the two technologies in any manner and the split line may even be (as 
described above) within the payment account number itself. 

Preferably, the first machine-readable technology is bar-code 
technology and the second machine-readable technology is radio-frequency (RF) 
technology. While these are the preferred technologies, the first and second machine- 

10 readable technologies may be any technology known in the art, so long as different 
technologies are chosen. For example, in addition to bar code and RF technologies, 
the machine-readable technologies may be magnetic stripe, optical character 
recognition (OCR), audio-tone and infra-red technologies. 

Advantageously, with the presently claimed invention, if a person 

1 5 attempts to perform an unauthorized reading of the payment device (also known as 
"skimming") using one technology, the person will not be able to read the entire 
payment account information and cannot later use the skimmed data to conduct a 
fraudulent transaction. For example, assume that a payment card has a payment 
account number stored therein in bar-code technology and other payment account 

20 information (such as the expiration date) stored therein and readable by RF 

technology. If a person attempts to commit fraud by skimming account information 
from an RF transmission from the payment card, the person will not be able to use the 
skimmed account information because the payment account number is not transmitted 
over the RF channel. Therefore, the presently claimed invention provides a more 

25 secure manner of conducting a payment transaction. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Exemplary embodiments of the present invention will now be 
described in detail with reference to the accompanying drawings in which: 

Fig. 1 is a diagram of a payment card according to an exemplary 
30 embodiment of the present invention; and 
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Fig. 2 is flow chart of an authorization and authentication process 
between a payment card and a terminal according to a preferred embodiment of the 
present invention. 

DETAILED DESCRIPTION OF THE INVENTION 

5 The present invention is directed to a payment device and method that 

provides a quick, easy, fast and secure way to pay for transactions. According to the 
presently claimed invention, a payment device includes payment account information 
that is distributed between two different machine-readable technologies. Preferably, 
the payment device according to the presently claimed invention includes one or more 

1 0 digits of a payment account number stored in the payment device in a first machine- 
readable technology and the remaining digits of the payment account number, if any, 
and other payment account information stored in the payment device in a second 
machine-readable technology different from the first machine-readable technology. 
The payment account information may be split between the two technologies in any 

15 manner and the split line may even be (as described above) within the payment 

account number itself. Preferably, the first machine-readable technology is bar-code 
technology and the second machine-readable technology is radio-frequency (RF) 
technology. While these are the preferred technologies, the first and second machine- 
readable technologies may be any technology known in the art, so long as different 

20 technologies are chosen. For example, in addition to bar code and RF technologies, 
the machine-readable technologies may be magnetic stripe, optical character 
recognition (OCR), audio-tone and infra-red technologies. In many instances, one 
technology by itself would not be secure enough to protect payment transactions, but 
when data is split between two technologies in one device, payment transactions can 

25 be more securely supported. 

Fig. 1 is a diagram of a payment card according to a preferred 
embodiment of the present invention. As shown in Fig. 1, the present invention 
utilizes a payment card 10 with a bar code 20 thereon and radio frequency ID chip or 
circuitry 30 therein. The bar code may be graphically printed, imprinted or placed on 

30 the card in any manner known in the art. The bar code is encoded with at least one or 
more digits of the payment account number (PAN). Preferably, the bar code is 
encoded with, at a minimum, the most significant digits of the PAN, including the 
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BIN used to identify the issuer. A BIN (bank identification number) is a unique 
series of numbers that identifies the issuer of a card and which is used to route 
authorization request messages over existing payment card networks, such as the 
BANKNET network from MasterCard International Incorporated. 
5 The remaining account information is stored in the RF chip or circuitry 

30. If a partial PAN is encoded in the bar code, the RF chip or circuitry 30 includes 
the remaining digits of the PAN. Preferably, the RF chip or circuitry also includes the 
"Track 2" data typically found on the magnetic stripe of conventional payment cards 
except for the full PAN. Excluding the PAN, the Track 2 data typically includes the 

10 expiration date, a service code, and discretionary data (i.e., data defined by the issuer 
of the card). Specifically, the Track 2 data is in BCD format and contains 40 BCD 
characters consisting of 1) a start sentinel (1 BCD character); 2) a PAN (of up to 19 
BCD characters); 3) a field separator (1 BCD character); 4) an Expiry Date (4 BCD 
characters), 5) a Service Code (3 BCD characters); 6) discretionary data (the length of 

15 which is dependent on the length of the PAN); 7) end sentinel (1 BCD character); and 
8) longitudinal redundancy check (LRC) (1 BCD character). The length of the 
discretionary data field is dependent on the length of the PAN. For a standard 16- 
digit payment account number, there are 13 digits available for the discretionary data. 
Of course, while Track 2 is preferred, other data tracks on the magnetic stripe may 

20 also be used with the present invention. 

To use the card, a conventional point-of-sale (POS) or other payment 
terminal may be equipped with both an optical bar code reader that reads the bar code 
on the payment card and an RF receiver to receive the RF information. The 
information read using the two different technologies from the card is then combined 

25 in the reader into regular track data and processed in the same manner as a 

conventional payment card over existing payment networks. Preferably, the bar code 
reader used is an omnidirectional bar code reader so that the payment card/device of 
the present invention need not be aligned in any specific orientation with regard to the 
reader. Since payment account digits are communicated via the bar code, this 

30 payment card/device would not suffer from the same potential for theft of information 
as an RF-only payment device. 

While a preferred distribution arrangement for payment account 
information has been described, payment account information may be distributed in 
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any manner between the two technologies on the payment card, so long as the reading 
of the account information stored in one technology does not compromise the 
account. In practice, since mail order and telephone order transactions may use only 
the PAN and the expiry date, it is preferred that the PAN and expiry date not be 
5 readable using the same technology. 

Fig. 2 is a flow chart of an authorization and authentication process 
between a payment card and a terminal according to a preferred embodiment of the 
present invention. Preferably, the payment card used in Fig. 2 includes both an 
optical bar code and an RF ID chip. Preferably, the RF ID chip performs the 
1 0 following functions: 

• securely store a unique per-card cryptographic key; 

• support a cryptographic algorithm to calculate an 
authentication code; 

• maintain a transaction counter and increment the transaction 
1 5 counter before a predefined event, such as before each 

transaction or after each time a challenge number is presented 
to the card; 

• store Track 2 data (as issued by the payment card issuer); 

• format the Track 2 discretionary data field with the chip- 
20 calculated authentication data; and 

• support the following commands for the transaction processing: 

- Write Data. This command is needed to send a 
challenge number produced by the terminal to the RF 
ID device. Upon receipt of the challenge number, the 

25 RFDD device should increase its transaction counter, 

calculate the authentication code, and format Track 2 
discretionary data with the chip authentication data. 
The terminal challenge number may be a random 
number or it may be fixed (for example, to be the last 

30 two digits of the terminal serial number). 

— Read Data. This command is needed to read 
Track 2 data. When the Read Data command is 
performed before the Write Data command, the 
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chip returns Track 2 data as stored in the device 
without authentication data. This can 
accommodate specific encoding, like a language 
code, which may be found in some Track 2 
5 discretionary data on current cards, which would 

allow the terminal to interact with the cardholder in the 
cardholder's chosen language. When the Read Data 
command is performed after the Write Data command, 
the chip returns Track 2 with the discretionary data 
1 0 replaced with the authentication data. 

Preferably, the RF chip calculates an authentication code for 
verification by the issuer using its unique cryptographic authentication key and the 
following data: 

• the PAN digits, if any, from the RF chip Track 2 data; 
15 • the Expiry Date (4 BCD characters) from the RF chip 

Track 2 data; 

• the Service Code (3 BCD characters) from the RF chip 
Track 2 data; 

• the value from the counter maintained by the RF chip 
20 (preferably, the counter is a minimum of 15 bits); and 

• the challenge number (preferably 2 BCD characters) 
provided by the terminal. 

The preferred method for calculating an authentication code is the 

following: 

25 1 . Construct a string of bits by concatenating (left to right) the 

four rightmost bits of each digit of the PAN if any, the Expiry Date (4x4 = 16 bits), 
and the Service Code (3x4=12 bits). Also concatenate to the bit string the Radio 
Frequency Chip counter (15 bits) and the challenge number (2x4 = 8 bits) provided 
by the terminal. Pad the bit string with binary zeros to a multiple of 64 bits (total of 

30 128 bits). 
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2. Calculate a MAC (message authentication code) using the 
Radio Frequency Chip secret and unique authentication key (single or douhle length) 
using DES. 

3 . Map the hexadecimal result of step 2 above into a set 

5 containing groups of 3 numeric digits. Use the 3 numeric digits resulting from the 
mapping operation as the authentication code. 

The Radio Frequency Chip (or optionally the terminal) preferably 
converts the 15-bit Radio Frequency Chip counter to BCD as follows: 

1 . Select the leftmost 3 bits of the counter add a zero bit to the left 
10 and convert to BCD. 

2. Select the next 3 bits of the counter add a zero bit to the left and 
convert to BCD. 

3. Perform step 2 an additional 3 times to translate the 15 bit 
counter to 5 BCD characters. 

1 5 Note that using the above method for converting the counter to BCD, 

each BCD digit will range from 0 to 7. The method is suggested to simplify 
implementation in a chip. Alternately, the counter can be converted to decimal then 
to BCD provided that the conversion is done the same on the issuer host system. It 
would then be possible to increase the size of the binary counter to 20 bits (5 BCD 

20 characters, 4 bits per char). 

Preferably, the Radio Frequency Chip device replaces the discretionary 
data of Track 2 with the authentication code (3 BCD characters), the Radio Frequency 
Chip counter (5 BCD characters), and the terminal challenge number (2 BCD 
characters), and makes the re-formatted Track 2 data available for reading by the 

25 terminal. Preferably, for increased security, it is up to the issuer to allocate the 

number of characters to be used for the authentication code, counter, and challenge 
number. Per-issuer allocation can make it harder to decipher the data in the 
discretionary data field. 

Preferably, the terminal in the embodiment of Fig. 2 performs at least 

30 the following functions: 
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• Generate a challenge number (as described above), either 
randomly or a fixed value (preferably coded as 2 BCD 
characters). 

• Support the Write Data command to present the challenge 
5 number to the Radio Frequency Chip device. 

• Support the Read Data command. As described above, the 
Read Data command may be used before or after the 
Write Data command. If the Read Data command is 
performed before the Write Data command, the terminal 

1 0 seeks to read Track 2 data from the Radio Frequency 

Chip as issued by the card issuer. In some countries, for 
example, a language code or other country specific 
information is included in the Track 2 discretionary data 
field, which the terminal may need to operate. If the 

15 Read Data command is issued after the Write Data command, 

the terminal seeks to obtain Track 2 data containing the Radio 
Frequency Chip authentication data in the discretionary field. 

• Verify the Track 2 Expiry date and Service Code. 

• Optionally request the entry of an on-line PIN on a secure PIN- 
20 pad for verification by the issuer. 

Returning to Fig. 2, in step 100, the payment card is placed in the 
proximity of the card reader of the terminal to initiate the transaction. The card reader 
includes both an optical bar code reader and an RF transmitter/receiver. In step 102, 
the card reader reads the PAN data encoded in the bar code on the payment card. 

25 In step 104 (which could be performed before, after, or simultaneously 

with step 102), the terminal optionally sends a Read Data command to read the Track 
2 data stored in the RF chip. From the Track 2 data, the terminal extracts data it may 
need to conduct the transaction as, for example, a language code. 

Li step 106, the terminal sends a Write Data command with a challenge 

30 number to the payment card. 
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In step 108, the RF chip on the payment card calculates an 
authentication code using its cryptographic key with its internal data (as specified 
above) and the challenge number sent by the terminal. 

hi step 1 10, the RF chip formats the Track 2 data to be sent to the 
5 terminal, replacing the discretionary data with the authentication code and other 
values as specified above. 

In step 1 12, the terminal performs a Read Data command and reads the 
new Track 2 data, including the authentication code. The Track 2 data does not 
include the full PAN. It may include a portion of the PAN if only a portion is 
1 0 encoded in the bar code. In the case where the full PAN is encoded in the bar code, 
the Track 2 data may include blank or null data in the spaces reserved for the PAN or 
the PAN data need not be transmitted at all. 

In step 114, the terminal prepares an authorization request with Track 2 
data. The authorization request Track 2 data is generated from the PAN obtained 
1 5 from the bar code on the payment card and the remaining Track 2 data obtained from 
the RF chip. 

In step 116, the authorization request is sent in a convention manner 
through one or more existing payment networks. Upon receipt of the authorization 
request by the issuer of the payment card, the issuer derives the unique cryptographic 
20 key assigned to the payment account number and validates the authentication code in 
the Track 2 discretionary data field. If the authentication is successful and if other 
authorization parameters are satisfied (e.g., sufficient credit in the cardholder's 
account), the issuer may authorize the transaction. Otherwise, the issuer may reject 
the transaction. 

25 In step 118, the authorization response is received at the terminal in a 

conventional manner through the existing payment networks and the transaction is 

completed or rejected based on the response. 

Although the present invention has been described with reference to 

certain preferred embodiments, various modifications, alterations, and substitutions 
30 will be known or obvious to those skilled in the art without departing from the spirit 

and scope of the invention. 
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I CLAIM : 

1 . A system for conducting financial transactions comprising: 
payment cards having stored account information including a 

first portion readable by a first machine-readable technology and a second portion 
5 readable by a second different machine-readable technology; and 

terminals employing both of said first and second technologies 
to capture said portions of said card account information for conducting each such 
transaction. 

2. The system of claim 1, wherein said first and second machine- 
10 readable technologies are either bar-code technology, radio-frequency (RF) 

technology, magnetic stripe technology, optical character recognition (OCR) 
technology, audio-tone technology or infra-red technology. 

3. The system of claim 2, wherein said first machine-readable 
technology is bar-code technology and said second different machine-readable 

1 5 technology is radio-frequency (RF) technology. 

4. The system of claim 3, wherein said stored account information 
includes a payment account number and an expiration date, and wherein said first 
portion is said payment account number and said second portion is said expiration 
date. 

20 5. The system of claim 3, wherein said stored account information 

includes a payment account number, and wherein said first portion includes one or 
more digits of the payment account number and said second portion includes one or 
more different digits of said payment account number. 

6. The system of claim 5, wherein said first portion includes at 
25 least digits of the payment account number representing a bank identification number. 

7. The system of claim 3, wherein said stored account information 
includes a payment account number, an expiration date, a service code and 
discretionary data. 



WO 03/050749 



12 



PCT/US02/39249 



8. The system of claim 7, wherein said information is processed 
over a payment network. 

9. The system of claim 1, wherein at least one of said terminals is 
equipped with both an optical bar code reader and an RF receiver for receiving 

5 respectively said first and second portions of stored account information from said 
card. 

10. The system of claim 9, wherein said terminal combines said 
received infoimation for processing over a payment network. 

11. A method for conducting a financial transaction over a 
10 communications network comprising a payment card, a terminal, and a payment 

network including a transaction authorization issuer, comprising: 

storing on said card account information having a first portion 
readable by a first machine-readable technology and a second portion readable by a 
second different machine-readable technology; and 
15 employing both of said first and second technologies to capture 

said card account information for conducting said financial transaction. 

12. The method of claim 1 1, wherein said first and second 
machine-readable technologies are either bar-code technology, radio-frequency (RF) 
technology, magnetic stripe technology, optical character recognition (OCR) 

20 technology, audio-tone technology or infra-red technology. 

13. The method of claim 12, wherein said first machine-readable 
technology is bar-code technology and said second different machine-readable 
technology is radio-frequency (RF) technology. 

14. The method of claim 13, wherein said stored account 

25 information includes a payment account number and an expiration date, and wherein 
said first portion is said payment account number and said second portion is said 
expiration date. 

15. The method of claim 13, wherein said stored account 
information includes a payment account number, and wherein said first portion 
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includes one or more digits of the payment account number and said second portion 
includes one or more different digits of said payment account number. 

16. The method of claim 15, wherein said first portion includes at 
least digits of the payment account number representing a bank identification number. 

5 17. The method of claim 13, wherein said stored account 

information includes a payment account number, an expiration date, a service code 
and discretionary data. 

18. The method of claim 17, wherein said information is processed 
over a payment network. 

10 19. The method of claim 1 1 , wherein said terminal is equipped 

with both an optical bar code reader and an RP receiver for receiving respectively said 
first and second portions of stored account information from said card. 

20. . The method of claim 19, wherein said terminal combines said 
received information for processing over a payment network. 

15 21. The method of claim 1 1, wherein said card includes a chip, and 

said method further comprises: 

securely storing on said chip a unique per-card cryptographic 

key; and 

supporting on said chip a cryptographic algorithm for 
20 calculating an authentication code using at least said key, said code to be used for 
verification by said transaction authorization issuer. 

22. The method of claim 21, wherein said stored account 
information includes a payment account number, an expiration date, a service code, 
and said chip maintains a transaction counter, and receives a terminal challenge 
25 number from the terminal, and 

wherein said code is calculated using at least portions of said 
key, said account number, said expiration date, said service code, a value associated 
with said counter, and said challenge number. 



WO 03/050749 



14 



PCT/US02/39249 



23. The method of claim 22, wherein said stored account 
information includes Track 2 data comprising said expiration date, said service code, 
and discretionary data, and wherein said chip is an RF chip which stores said Track 2 
data. 

5 24. The method of claim 23, further comprising: 

reformatting the discretionary data of said Track 2 data with 
said authentication code, said transaction counter, and said terminal challenge 
number; and 

making said reformatted data available for reading by said 

10 terminal. 
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